add new ignore status

Signed-off-by: Markus Blaschke <[email protected]>

Author: mblaschke

auditor/auditor.keyvaultaccesspolicies.go

@@ -24,7 +24,7 @@ func (auditor *AzureAuditor) auditKeyvaultAccessPolicies(ctx context.Context, lo
 		matchingRuleId, status := auditor.config.KeyvaultAccessPolicies.Validate(object)
 		report.Add(object, matchingRuleId, status)
 
-		if !status && auditor.config.KeyvaultAccessPolicies.IsMetricsEnabled() {
+		if status.IsDeny() && auditor.config.KeyvaultAccessPolicies.IsMetricsEnabled() {
 			violationMetric.AddInfo(
 				auditor.config.KeyvaultAccessPolicies.CreatePrometheusMetricFromAzureObject(object, matchingRuleId),
 			)

auditor/auditor.loganalytics.go

@@ -40,7 +40,7 @@ func (auditor *AzureAuditor) auditLogAnalytics(ctx context.Context, logger *zap.
 		matchingRuleId, status := config.Validate(object)
 		report.Add(object, matchingRuleId, status)
 
-		if !status && config.IsMetricsEnabled() {
+		if status.IsDeny() && config.IsMetricsEnabled() {
 			violationMetric.AddInfo(
 				config.CreatePrometheusMetricFromAzureObject(object, matchingRuleId),
 			)

auditor/auditor.report.go

@@ -9,6 +9,7 @@ import (
 
 	yaml "gopkg.in/yaml.v3"
 
+	"github.com/webdevops/azure-auditor/auditor/types"
 	"github.com/webdevops/azure-auditor/auditor/validator"
 )
 
@@ -25,15 +26,16 @@ type (
 	}
 
 	AzureAuditorReportSummary struct {
-		Ok     int64
-		Failed int64
+		Ignore int64
+		Deny   int64
+		Allow  int64
 	}
 
 	AzureAuditorReportLine struct {
 		Resource map[string]interface{} `json:"resource"`
 		RuleID   string                 `json:"rule"`
 		GroupBy  interface{}            `json:"groupBy"`
-		Status   bool                   `json:"status"`
+		Status   string                 `json:"status"`
 		Count    uint64                 `json:"count"`
 	}
 )
@@ -73,7 +75,7 @@ func (report *AzureAuditorReport) Clear() {
 	report.Lines = []*AzureAuditorReportLine{}
 }
 
-func (report *AzureAuditorReport) Add(resource *validator.AzureObject, ruleID string, status bool) {
+func (report *AzureAuditorReport) Add(resource *validator.AzureObject, ruleID string, status types.RuleStatus) {
 	report.lock.Lock()
 	defer report.lock.Unlock()
 
@@ -82,13 +84,16 @@ func (report *AzureAuditorReport) Add(resource *validator.AzureObject, ruleID st
 		&AzureAuditorReportLine{
 			Resource: *resource,
 			RuleID:   ruleID,
-			Status:   status,
+			Status:   status.String(),
 		},
 	)
 
-	if status {
-		report.Summary.Ok++
-	} else {
-		report.Summary.Failed++
+	switch status {
+	case types.RuleStatusIgnore:
+		report.Summary.Ignore++
+	case types.RuleStatusDeny:
+		report.Summary.Deny++
+	case types.RuleStatusAllow:
+		report.Summary.Allow++
 	}
 }

auditor/auditor.resourcegraph.go

@@ -24,7 +24,7 @@ func (auditor *AzureAuditor) auditResourceGraph(ctx context.Context, logger *zap
 		matchingRuleId, status := config.Validate(object)
 		report.Add(object, matchingRuleId, status)
 
-		if !status && config.IsMetricsEnabled() {
+		if status.IsDeny() && config.IsMetricsEnabled() {
 			violationMetric.AddInfo(
 				config.CreatePrometheusMetricFromAzureObject(object, matchingRuleId),
 			)

auditor/auditor.resourcegroups.go

@@ -21,7 +21,7 @@ func (auditor *AzureAuditor) auditResourceGroups(ctx context.Context, logger *za
 		matchingRuleId, status := auditor.config.ResourceGroups.Validate(object)
 		report.Add(object, matchingRuleId, status)
 
-		if !status && auditor.config.ResourceGroups.IsMetricsEnabled() {
+		if status.IsDeny() && auditor.config.ResourceGroups.IsMetricsEnabled() {
 			violationMetric.AddInfo(
 				auditor.config.ResourceGroups.CreatePrometheusMetricFromAzureObject(object, matchingRuleId),
 			)

auditor/auditor.resourceproviderfeatures.go

@@ -22,7 +22,7 @@ func (auditor *AzureAuditor) auditResourceProviderFeatures(ctx context.Context,
 		matchingRuleId, status := auditor.config.ResourceProviderFeatures.Validate(object)
 		report.Add(object, matchingRuleId, status)
 
-		if !status && auditor.config.ResourceProviderFeatures.IsMetricsEnabled() {
+		if status.IsDeny() && auditor.config.ResourceProviderFeatures.IsMetricsEnabled() {
 			violationMetric.AddInfo(
 				auditor.config.ResourceProviderFeatures.CreatePrometheusMetricFromAzureObject(object, matchingRuleId),
 			)

auditor/auditor.resourceproviders.go

@@ -23,7 +23,7 @@ func (auditor *AzureAuditor) auditResourceProviders(ctx context.Context, logger
 		matchingRuleId, status := auditor.config.ResourceProviders.Validate(object)
 		report.Add(object, matchingRuleId, status)
 
-		if !status && auditor.config.ResourceProviders.IsMetricsEnabled() {
+		if status.IsDeny() && auditor.config.ResourceProviders.IsMetricsEnabled() {
 			violationMetric.AddInfo(
 				auditor.config.ResourceProviders.CreatePrometheusMetricFromAzureObject(object, matchingRuleId),
 			)

auditor/auditor.roleassignments.go

@@ -25,7 +25,7 @@ func (auditor *AzureAuditor) auditRoleAssignments(ctx context.Context, logger *z
 		matchingRuleId, status := auditor.config.RoleAssignments.Validate(object)
 		report.Add(object, matchingRuleId, status)
 
-		if !status && auditor.config.RoleAssignments.IsMetricsEnabled() {
+		if status.IsDeny() && auditor.config.RoleAssignments.IsMetricsEnabled() {
 			violationMetric.AddInfo(
 				auditor.config.RoleAssignments.CreatePrometheusMetricFromAzureObject(object, matchingRuleId),
 			)

auditor/types/const.go

@@ -0,0 +1,51 @@
+package types
+
+import (
+	"strings"
+)
+
+type RuleStatus int
+
+var (
+	RuleStatusIgnore RuleStatus = -1
+	RuleStatusDeny   RuleStatus = 0
+	RuleStatusAllow  RuleStatus = 1
+)
+
+func StringToRuleStatus(val string) RuleStatus {
+	val = strings.TrimSpace(val)
+	val = strings.ToLower(val)
+
+	switch strings.ToLower(val) {
+	case "-1", "ignore":
+		return RuleStatusIgnore
+	case "0", "false", "deny":
+		return RuleStatusDeny
+	case "1", "true", "allow":
+		return RuleStatusAllow
+	}
+	return RuleStatusDeny
+}
+
+func (s RuleStatus) String() (ret string) {
+	ret = "unknown"
+	switch s {
+	case RuleStatusIgnore:
+		ret = "ignore"
+	case RuleStatusDeny:
+		ret = "deny"
+	case RuleStatusAllow:
+		ret = "allow"
+	}
+	return
+}
+
+func (s RuleStatus) IsIgnore() bool {
+	return s == RuleStatusIgnore
+}
+func (s RuleStatus) IsDeny() bool {
+	return s == RuleStatusDeny
+}
+func (s RuleStatus) IsAllow() bool {
+	return s == RuleStatusAllow
+}

auditor/validator/validation.go

@@ -4,6 +4,8 @@ import (
 	"strings"
 
 	"github.com/prometheus/client_golang/prometheus"
+
+	"github.com/webdevops/azure-auditor/auditor/types"
 )
 
 type (
@@ -97,7 +99,7 @@ func (validation *AuditConfigValidation) CreatePrometheusMetricFromAzureObject(o
 	return labels
 }
 
-func (validation *AuditConfigValidation) Validate(object *AzureObject) (string, bool) {
+func (validation *AuditConfigValidation) Validate(object *AzureObject) (string, types.RuleStatus) {
 	resourceID := object.ResourceID()
 
 	if validation.Rules != nil {
@@ -108,7 +110,7 @@ func (validation *AuditConfigValidation) Validate(object *AzureObject) (string,
 					continue
 				} else {
 					// valid is not valid, returning here
-					return rule.Rule, rule.handleRuleStatus(object, false)
+					return rule.Rule, rule.handleRuleStatus(object, types.RuleStatusDeny)
 				}
 			}
 
@@ -127,7 +129,7 @@ func (validation *AuditConfigValidation) Validate(object *AzureObject) (string,
 						continue
 					} else {
 						// valid is not valid, returning here
-						return rule.Rule, rule.handleRuleStatus(object, false)
+						return rule.Rule, rule.handleRuleStatus(object, types.RuleStatusDeny)
 					}
 				}
 
@@ -138,5 +140,5 @@ func (validation *AuditConfigValidation) Validate(object *AzureObject) (string,
 		}
 	}
 
-	return "__DEFAULTDENY__", false
+	return "__DEFAULTDENY__", types.RuleStatusDeny
 }